This is an announcement regarding a security advisory addressing an unauthenticated servlet call vulnerability fixed in the latest version of Firewall Analyzer v12.4.196. PLEASE READ THROUGH THIS POST COMPLETELY to check whether your installation has been affected or not, and if affected, learn how you can resolve it.
Issue and description:
Unauthenticated API key disclosure - An unauthenticated access method that exposed the API key was discovered in the product. An attacker could exploit it to add an admin user through an API call and then carry out admin-level operations. This is a critical security vulnerability. (Refer: CVE-2020-11946)
Who has been affected?
Any Firewall Analyzer installation with build number between 12.3.xxx and 12.4.195 (for product versions v12.3 and v12.4), and build number between 12.5.001 and 12.5.119 (for product version v12.5) could be exploited using this vulnerability.
How did the security team at ManageEngine resolve this vulnerability?
This issue was reported to us by @kuncho, an independent security researcher, on April 12. As soon as we were informed of this, suitable authentication measures were added for the API call, and the latest Firewall Analyzer version with the fix, v12.4.196, was released for all products on April 22, 2020.
How can I identify if my installation has been compromised?
1. Check whether any new FWA user accounts that look suspicious exist in the product by navigating to Settings > General Settings > User management. If there are any, delete the new user profile immediately and contact our support team.
2. You can also check the access logs for unauthenticated requests. Under the "logs" folder in the product installation directory, open access_log.txt and check whether any of the following API calls have been made from external IPs, i.e., addresses that do not carry the suffix "- localhost" next to them:
i. sendData - used to expose the API key to the attacker
ii. addUser - possible add user action performed using the obtained key
iii. testNProfile - possible RCE performed on some/all devices in the network
If any of these are noticed in your setup, IMMEDIATELY SHUT DOWN THE INSTALLATION, and contact our support team.
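The check in step 2 can be scripted. The example below is added here and is not part of the advisory or the product: it flags any access_log.txt line that names one of the three servlets listed above and lacks the "- localhost" marker. The advisory does not show the exact log line layout, so the script matches on those strings alone, and the sample lines embedded in it are constructed.

```python
"""Scan a Firewall Analyzer access_log.txt for the servlet calls named in the
advisory (sendData, addUser, testNProfile) made from addresses that are not
marked "- localhost". Example code, not part of the product."""
import re
from pathlib import Path

# Servlet names from the advisory and what each one indicates.
SUSPECT_CALLS = {
    "sendData": "API key exposure",
    "addUser": "admin user creation via the obtained API key",
    "testNProfile": "possible remote code execution on managed devices",
}
# The advisory describes local requests as carrying "- localhost" next to
# the address; a line without it is treated as an external request.
LOCAL_MARKER = "- localhost"
# Word-boundary match so a longer name such as "addUserGroup" is not reported.
CALL_RE = re.compile(r"\b(" + "|".join(SUSPECT_CALLS) + r")\b")


def scan_lines(lines):
    """Return (line_number, call, indicator, line) for each suspect external request."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = CALL_RE.search(line)
        if m and LOCAL_MARKER not in line:
            call = m.group(1)
            hits.append((n, call, SUSPECT_CALLS[call], line.rstrip()))
    return hits


def scan_file(path):
    """Scan a real access_log.txt; unknown bytes are replaced rather than fatal."""
    return scan_lines(Path(path).read_text(errors="replace").splitlines())


# Constructed sample lines; the real access_log.txt layout may differ.
SAMPLE_LOG = """\
127.0.0.1 - localhost [22/Apr/2020:10:01:12] "POST /fw/sendData HTTP/1.1" 200
203.0.113.7 [22/Apr/2020:10:02:30] "GET /fw/sendData HTTP/1.1" 200
203.0.113.7 [22/Apr/2020:10:02:45] "POST /fw/addUser HTTP/1.1" 200
198.51.100.4 [22/Apr/2020:10:03:01] "GET /fw/index.do HTTP/1.1" 200
""".splitlines()

if __name__ == "__main__":
    for n, call, why, line in scan_lines(SAMPLE_LOG):
        print(f"line {n}: {call} ({why}): {line}")
```

Run it against your own file with `scan_file(r"<install dir>\logs\access_log.txt")`; any hit is a reason to follow the shutdown-and-contact-support step above.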
What can I do to fix this vulnerability?
If you're on any Firewall Analyzer build up to and including 12.4.195, it is advised to upgrade to Firewall Analyzer v12.4.196 right away from the service pack page of Firewall Analyzer.
For users of Firewall Analyzer version 12.5, it is advisable to upgrade to build 12.5.120 using the link below for each product: Download Firewall Analyzer 12.5.120